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MODULE audit (IDENT = ‘Vv04-000', 
ADDRESSING MODE (EXTERNAL = GENERAL)) = 


Mark Bramhall, 23-Mar-1984 
i MODIFIED BY: 


SeEreree 


BEGIN 
1. 
: RSnRLaNE SO Rr NpRNEERRIRS IE EE sap 
:;* & 
8 1 is COPYRIGHT (c) 1978, 1980, 1982, 1984 B * 
1 ie DIGITAL EQUIPMENT CORPORATION, " MAYNARD. MASSACHUSETTS. « 
4d : ;* ALL RIGHTS RESERVED. : 
0012 1 i* THIS SOFTWARE | Is FURNISHED UNDER A A LICENSE AND MAY BE USED AND COPIED * 
0013 1 i* ONLY IN ACCORDANCE WITH THE SUCH LICENSE AND WITH THE 
0014 1 i INCLUSION OF THE ABOVE COPYRIGHT” NOTICE. THIS SOFTWARE OR ANY OT * 
015 1 i* COPIES THEREOF MAY Y NOT B ED OR OTHERWISE MADE AVAILABLE TO ANY * 
O16 1 '® OTHER PERSON. NO TITLE TO AND OWNERSHIP OF THE SOFTWARE IS HEREBY * 
91 is TRANSFERRED. * 
° ® 
6019 1 '® THE INFORMATION IN THIS SOFTWARE IS SUBJECT TO CHANGE WITHOUT NOTICE * 
0020 1 '* AND SHOULD NOT BE CONSTRUED AS A COMMITMENT BY DIGITAL EQUIPMENT * 
0021 is CORPORATION. * 
, * 
60 : 1 i® DIGITAL ASSUMES NO RESPONSIBILITY FOR THE USE OR RELIABILITY OF ITS * 
99 4 is SOFTWARE ON EQUIPMENT WHICH IS NOT SUPPLIED BY DIGITAL. . 
i 
8 § ' EET AT a POLE AE a RT OTS SE Te aT ee RON 
oe oe 
99 0 { FACILITY: 
99 Q LOGIN 
ne i ABSTRACT: 
site) : Performs security auditing functions for LOGINOUT. 
0038 i ENVIRONMENT: 
? \ VAX/VMS operating system 
3 i AUTHOR: 
4 1 
5 1 
: 1 
1 
8 1 
1 
0 1 
11 
: 1 
1 


V03-002 MHB0146 Mark Bramhall 27-Apr-1984 
7 Make physical terminal packet optional. 
5 v03-001 MHB0123 Mark Bramhall zohor~1904 
b3 Use mandatory audit flag NSASH  ARG_FLAG_MANDY?. 


a5 
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Include files 


LIBRARY ‘SYSSLIBRARY:LIB'; 
Table of contents 


FORWARD ROUTINE 
security_audit: 


External routines 


EXTERNAL ROUTINE 
nsa$event_audit; 


! External storage (flags) 


pcd_sts: 
nsa$gr_alarmvec: 
nsa$gr_journvec: 


; External storage (auditing data) 


VECTOR C,BYTEJ, 
fail_password: VECTOR 


Oe a a tt SS a a ts 4 9) 8 8 ss 8 ts 8 st ts 


8 
1eSep-19be facto DISksuns 


VAX/VMS system definitions 
Perform a security audit 


Kernel mode auditing routine 


Job type (JIBSC_xxx values) 
True if subprocess 

PCB status (copy of PCBSL_STS) 
Security audit alarm vector 
Security audit journal vector 


Parent process PID 

Node address (ASCIC) 

Failing password desc 
Terminal name desc 

Physical terminal name desc 
Node name (ASCIC) 

Remote ID (ASCIC) 

Creator process username desc 


Pp 
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Validate NSASK _RECTYP_LOGx to NSASB_EVT_LOGx ordering so that we 
can use a record's type (NSASK_RECTYP_LOGx) to index into both 
the got audit alarm vector (NSASGR_ALARMVEC) and security 
audit journal vector (NSASGR_JOURNVEC).” In addition, define the 
offset (TO_EVT_BYTE_BIAS) to-be used to do the indexing. 


Wr 


————————— ed 


LITERAL 

to_evt_byte_bias = SBYTEOFFSET(nsa$b_evt_logb) - nsa$k_rectyp_logb; 
SASSUME (SBYTEOFFSET(nsa$b_evt_log ) FOL nsask rectyp. togh + to_evt_byte_bias); 
SASSUME (SBYTEOFFSET(nsa$b_evt_logi) ,EQL,nsa$k_rectyp_logi + to_evt_byte_bias); 
SASSUME (SBYTEOFFSET(nsa$b_evt_logf),EQL,nsa$k_rectyp_logf + to_evt_byte_bias); 
SASSUME (SBYTEOFFSET(nsa$b_evt_logo) ,EQL,nsa$k_rectyp_logo + to_evt_byte_bias); 


Validate NSASK_RECTYP_LOGx ordering so that we know our ‘‘indexed by 
record ty e'’ arrays are in the correct order. The order should be 
LOGB, LOGI, LOGF, then LOGO incrementing by 1 each time. In addition, 
define the offset (TYPE_INDEX BIAS) to be used to do the indexing 

and define the size (TYPE_INDEX_SIZE) of the arrays. 


LITERAL 
type_index_bias ? = nsa$k_rectyp_iogb, 


type_index_size : ; 


SASSUME(0,EQL,nsa$k_rectyp_logb + type_index_bias); 
SASSUME(1,EQL,nsa$k_rectyp_logi + type_index_bias); 
SASSUME (2,EQL,nsa$k_rectyp_logf + type_index_bias); 
SASSUME (3, EQL,nsa$k_rectyp Logo + type_index_bias); 
SASSUME (4,EQL,type_Tndex_size); 
} 
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3 ! Validate oy ig (JOB_TYPE = JIBSC_xxx) ordering so that we know our 

3 ! "indexed x jo ype orreys are in the correct order. The order 
7 3 ' should be DETACHED, NETWORK, BATCH, LOCAL, DIALUP, then REMOTE 
8 36 ! incrementing by 1 each time. An additiona! catagory (SUBPROCESS_ INDEX) 
9 37 ! for subprocesses (SUBPROCESS = true) is added to correspond to all 
0 38 ! possible record pyetypes. We then have array entries for subtypes 
1 39 ! DET, NET, BAT, LOC A, REM, and SUB. In addition, define the size 
: 40 1 | (JOB_TYPE_INDEX_SIZE) of the arrays. 
4 rs | 
5 4 LITERAL 
6 44 subprocess_index = 6, 
H rh job_type_index_size = 7; 
9 ‘3 SASSUME(0,EQL,jib$c_detached); ! For NSASK_RECTYP_LOGx_DET 
0 48 SASSUME (1 ,EQL,) ib$c_network); ! For NSASK_RECTYP_LOGx_NET 
1 49 et te: el] ib$c_batch); ' For NSASK_RECTYP_LOGx_BAT 
¢ 50 ASSUME (3,EQL,j ib$c_ loc ' For NSASK_RECTYP_LOGx_LOC 

1 1 SASSUME(4,EQL,} ib$c-dialup); i For NSASK-RECTYP-LOGx_DIA 

4 § SASSUME (5,EQL,) ib$c_remote); ' For NSASK_RECTYP_LOGx_RE 
5 SASSUM (Beak - upprocess, index); ! For NSASK_RECTYP_LOGx_ 
6 & SASSUME ( “EQL;job type. ndex_size); 
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nsa$k_rectyp_logi_net, 
nsa$k_rectyp_logi_bat, 


IND 
audit Logt subtypes = ! Audit LOGF record subtype array 
s 


UPLIT BORD(n 


nsa$k_rectyp_logf_dia, 


158 : ; 
135 Pure storage of event masks and record subtypes (via BINDs) ; 
161 ; 
166 BIND ‘ 
16 6 audit vector masks = ! Audit vector event mask array ‘ 
164 6 UPLIT BYTE(nsa$m_evt_log_det, ‘ 
165 6 nsa$m_evt_log_net, ° 
196 6 nsa$m_evt_log_bat, ‘ 
16 6 nsa$m_evt_log_loc, ° 
168 6 nsa$m_evt_log_dia, ; 
19? 6 nsa$m_evt_log_rem ‘ 
170 6 nsa$m_evt_log_sub ‘ 
if] ? : VECTOR Cjob_type_index_size, BYTE); ‘ 
178 7 IND ; 
174 7 audit tog subtypes = ! Audit LOGB record subtype array ‘ 
175 7 UPLIT QORD(nsa$k_rectyp_logb_det, ‘ 
176 7 nsaSk_rectyp_logb net, ° 
177 7 0, : LOGB w/ BAT doesn't exist ° 
178 7 nsa$k_rectyp_logb_loc, ° 
179 7 nsa$k_rectyp_logb_dia, : 
180 7 nsaSk_rectyp_logb_rem, . 
181 7 : _LOGB w/ SUB doesn't exist ° 
186 : VECTOR Cjob_type_index_size,WORD); ° 
184 8 IND : 
185 8 audit Logi subtypes = ! Audit LOGI record subtype array ‘ 
1% H UPLIT QORD(nsa$k_rectyp_logi_det, ‘ 
188 8 : 
189 8 ° 
190 8 e 
191 8 ° 
135 8 ‘ 
19 9 ° 
194 9 ° 
195 9 ° 
1 9 ° 
1 9 ° 
1 9 ° 

9 : 

9 

9 . 


So 
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IND 

audit_logo_ subtypes = ! Audit LOGO record subtype array 
UPLIY QORD(nsask. rectyp_logo_det, 
nsa$k_rectyp_logo_net, 
nsa$k_rectyp_logo_bat, 
nsa$k_rectyp_logo_loc, 
nsa$k_rectyp_logo_dia, 
nsa$k_rectyp_logo_rem 
nsa$k~rectyp_ logo sub) 
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: VECTOR Cjob_type_index_size,WORD]; 
IND 
audit subtypes = ! Audit type to subtype array arra 
UPLIT LONG audit _togb. subtypes, 4 é , 
dit_logi_subtypes, 
audit lost” subtypes 
audit_logo_ subtypes 
: VECTOR Ctype_index_size,LONGJ; 


ee | el 


, | 
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H 5 i e 

; $ § } } Packet building bits and prototype masks 

; 8 4 1 

; 9 5 1 LITERAL 

3 0 § 1 packet_parent_pid = 0, ! Packet w/ Parent process's PID 

; 1 1 packet_node_address = 1, ' Packet w/ Node address 

; ¢ 0228 1 packet. \og/_stetus S ¢° ! Packet w/ Login failure status 

; 0229 1 packet_fail_password = 3, ' Packet w/ Failing password 

: § 4 02350 1 packet_term_name = 4, ' Packet w/ Terminal name 

: 5 0231 } packet _phy_term_nane = 5, peehet we egeree’ terminal name 

; acket_node_name = 6, ! Packet w/ Node name 

3 5 7 9 g 1 packet-remofe. id = 5. ! Packet w/ Remote ID 

3 $36 8 : ' pechet reoser ueernene = 8. } pecker = Greater ececese usernene 
; max_posS_ packets = 9, ! Max number of possible packets 

3 6 8 $ : max-packet 8120 =2+2 + 8; ! Max packet site (type ° mech + quad) 
; og 0 34 1 LITERAL 

3; 24 0239 1 det_packets = 0 ! DET: <nothing> 

> 244 0240 § net_packets = ({ 4 packet_node_address) ! NET: Node address 

; 245 0241 OR (1 * packet_node_name) ! Node name 

: se6 0 4g 1 OR (1 * packet_remote_id), ' Remote ID 

: 247 0245 1 bat_packets = 0 ! BAT: <nothing> 

> 248 0244 2 loc_packets = ({ packet_term_name) ' LOC: Terminal name 

: 249 0245 1 OR (1 * packet_phy_ferm_name),  ! Physical terminal name 
; $20 0246 2 dia_packets = (1 * packet_term_name) ! DIA: Terminal name 

2 go) 0247 1 OR (1 * packet_phy_term_name), |! Physical terminal name 
; $26 0248 § rem_packets = (1 * packet_node_address) ! REM: Node address 

; £ 0249 OR (1 * packet_term_name) ! Terminal name 

> 254 0250 2 OR (1 * packet_node_name) ! Node name 

3s go 0251 1 OR (1 * packet_remote_id), ' Remote ID 

: 256 0252 1 sub_packets = (1 * packet_parent_pid); ! SUB: Parent process's PID 
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! Pure storage of packet masks (via BINDs) 


BIND 


audit_lo bopacks ! Audit 4968 packet mask array 


ts = 
UPLI RD(det_packets OR (1 * packet_fail_password) 
OR (1 * packet_creator username), 
net_packets OR (1 * packet _fail_ assword), 
; ! LOGB w/"BAT doesn't exist 
loc_packets OR (1 * packet_fail_password), 
dia_packets OR tf * packet_fail_password), 


i 
—OVODONOULWN OOo 


rem packets OR (1 * packet fail_ assword) , 
' LOGB w/"SUB doesn't exist 


: VECTOR Cjob_type_index_size,wORD); 

74 IND 

75 audit tin pashets = ! Audit LOGI packet mask array 
76 UPLIT QORD(det_packets OR (1 * packet_creator_username), 

77 net_packets, 

78 bat_packets, 

79 loc_packets, 


POPOPIPIPIPIPIPOPOPINIPIPYPOPETUNonunononspnororornrn 
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sub_p R pocket Leg! stetus 
: VECTOR Cjob_ftype_index_s WORD); 


8 IND 
3 audit_lo ‘packets = ! Audit LOGF packet mask array 
28 UPL I RD(det_packets OR (1 * packet_logf_status) 
$f OR (1 * packet_creator_username), 
8 net_packets OR (1 * packet_logf_status), 
8 bat_packets OR (1 * packet_logf_status), 
91 86 loc_packets OR (1 * packet_logf_status), 
9 3H dia_packets OR (1 * packet logf_status), 
29 88 rem_packets OR (1 * packet_logf_status) 
389 ackets 0 1 a )§ 
2 


me ee a a a at a et a 8 = 8 1 a 3 fy SY Ss SS ss a eh a tn ey 
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94 
9% 3 oN 
391 8 BIND 
98 9 audit Logo packets = ! Audit LOGO packet mask array 
99 94 UPLI RD(det_packets, 
00 95 net_packets, 
1 38 bat_packets, 
9 loc_packets, 
0 38 dia_packets, 
04 9 rem_packets 
05 sub-packets) 
0¢ 1 : VECTOR Cjob_ftype_index_size,wORD); 
08 08 BIND 
09 audit prpnecs = ! Audit type to packet array array 
10 5 UPLIT LONG (audit_togb_packets, 
11 audit_logi_packets, 
\§ audit_logf_packets 
1 3 audit_logo_packets 
14 : VECTOR Ctype_ifdex_Size,LONG); 


<> 
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GLOBAL ROUTINE security audit (record_type, logf_status): NOVALUE = 
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Optionally perform a security audit. 
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MEW 2S ODNA NEW 0 OO NAUS WN $0 ODNAUE WN $0 ODNAUFS UR QOOONOULS WO 


record type = Audit cecord type (NSASK_RECTYP_LOGx) 
logf_status = Login failure status for LOGF récords 


' 

i] 

i] 

! 

Outputs: 
None. 
' 


index, ndex Tnto type arrays 
type_index, ! Index into job type arrays 
audit_ flag, ! Audit fla 

packets: BITVECTOR (32), ' Packets to insert flags 
arglist_ptr; ! Packet fill in pointer 


CHSFILL(O, ZALLOCATION(arglist), arglist); ! Clear out the argument List 
type_index = .record_type; ! Fetch the type index 


ODO WORM OOo NOU Ue 
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jeb.ty e_index = .job_type; ! Assume job type will be the index 
F .subprocess ! But, if a subprocess 

THEN job_type_index = subprocess_index; ! use the subprocess index 
audit_flag = 0; ! Assume no audit initially 


IF .pcb_sts CSBITPOSITION(pcb$v_secaudit)] ! If mandatory auditing, 
THEN audit_flag = nsa$m_arg_flag_mandy; ! perform mandatory audi 


( ! If alarm aytt ting. 
-nsa$gr_alarmvec C.type_index + to_evt_byte_bias 


-audit_vector_masks ([.job_type_index] 


THEN audit_flag = ! perform alarm audit 
.audit_flag OR nsa$m_arg_flag_alarm; 


( ! If journal auditing, 
jhseSor_journvec C.type_index + to_evt_byte_bias] 


-audit_vector_masks [.job_type_index) 


THEN audit_flag = ! perform journal audit 


1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

BEGIN 

LOCAL 

arglist: ! Argument List for NSASEVENT_AUDIT 
BLOCK Cnsa$k_arghdr_length + pany pecset size * max_pos_packets) ,BYTE], 
-audit_flag OR nsa$m_arg_flag_journ; 
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IF .audit fla EQL 0 ! If no audit requested, 
THEN RETURN: © | “stapty exit 
orgt ist nsa$w_arg_ 4 ol =_.type_index; Set audit record type 
arglist (nsa$w_ar audit record subtype 


Set 
VECTOR C vau rt Raubtvpes C. i G6a0} i + tone. af _biasJ, 
x; 


e 
arglist (nsa$b_ar Ofte 4 -a dit. lag; ' Set audit flags 
aralist nsa$b oF. tTagl & mh a i Set no packets. initially 
ackets ! Get packets to do BITVECTOR 
: VECTOR C at Roce ts C. type ose’ + type_ for y +} $i 
ndex; 
arglist_ptr = arglisf *Ehsase arg Kirst ! Address packet(s) in arg List 


Fr_ppackete Cpacket_parent_pid] ! Do parent process's PID? 


OEGIN 
(.arglist_ptr) <0,16> = nsaSk_pkttyp_epid; 
arglist_ptr = argtist ptr + 2; 
(.ar List ptr) <0,16> = nash arg_mech_ long; 
arglist_ptr a arg jst ptr + 2; 


(.ar Uist ptr) <0, = .parent_ pid; ! Set parent process's PID 

arglist_ptr = .argl st ptr + 4; 

arglist- nsa$b_arg_pkthum] = arglist Cnsa$b_arg_pktnum] + 1; 
RagPeennee Cpacket_node_address] ! Do node address? 

BEGIN 


(.arglist_ptr) <0,16> = nsaSk_pkttyp_nodeid; 
arglist_ptr = .arglist_ptr + 2; 
& = List ptr) <0, i = ors 3°". mech_quad; 


ptr = .ar ; 
tnecopyt ct cele =ne baad dP ' Set node address 
ye eaddr C i “from control region 
es gH ete: ; ! aS @ quadword 


arglist pir’ = earglist_ptr + 8; 
arglist nsa$b_arg_pkthum) = -arglist Cnsa$b_arg_pktnum]) + 1; 


i appettots Cpacket_logf_status] ! Do login failure status? 


EGIN 
{(.arglist_ptr) <0, i = nsask pkttyp_ status; 
arglis st_ptr = yrargtist =ptr 

(.ar Uist ptr) <0,16> = nsagk arg_mech_ long; 
arglis t_ptr = arg jst t_ptr + 

.oor Uist ete? <0, ste f Status; ! Set login failure status 
argl pt r= .argl e 
argtist nsa$b_arg_ oh tien) = varglist Cnsa$b_arg_pktnum) + 1; 


{v_jpockets Cpacket_fail_password) ! Do failing password? 


BEGIN 
(.arglist_ptr) <0,16> = nsaSk_pkttyp_password; 
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arglist_ptr = .arglist_ptr + 2; 
Cargt ty ete? Rai > =nsath 9°"9. mech_adescr; 
= . 
carat 4 sft ptr) <0, 9433¢ fait. pissword; ! Set failing password desc addr 
argl tr = .argl ot p 


arglist- nsa$b_arg_ pk thund : varglist Cnsa$b_arg_pktnum]) + 1; 


their Cpacket_term_name] ! Do terminal name? 


Cearglist ptr) <0, 4, oat = at pkttyp. devnam; 

orgl t_ptr = .arglist_ptr 

(,arglist_ptr) "<5 i a = rneas arg. mech_adescr; 

arglist_ptr = argtist ptr + 2; 

are lor aut ptr) "<0,32> = tern name; ! Set terminal name desc addr 
-ptr = arglist_ ptr +4; 

argtist nsa$b_arg_ phtfund = .arglist Cnsa$b -arg_pktnum] + 1; 


packets y Cpocket phy. tere name] ! Do physical terminal name? 
AND H$NEQ(.phy_term_n COJ, .phy_term_name 
. term_name "t03. -term_name (1], 
THEN 
EGIN 
(.arglist_ptr) <0,16> = neem pkttyp_ devnam; 
arglist_ptr < = oral list 
(.arglist_p <0, iy = nsask arg. mech_adescr; 
argl oe . ssaratist ptr + 2; 
(.arglist_ptr) <0,32> = = ohy, term name; ! Set physical term name desc addr 


arglist_ptr = arglist_p 
erglist nsa$b_arg_ phthund = varglist Cnsa$b_arg_pktnum) + 1; 


IF apockets Cpacket_node_name] ! Do node name? 
ThE 


BEGIN 
(.arglist_ptr) <0,16> = nsa$k pkttyp_ nodenam; 
arglist_ptr = .arglist_ptr + 
(,arglist_ptr) <0, 16> = nsask arg_nech_ descr; 
arglis st_ptr = .arglist =ptr 
52 OF List gtr) <0,32> = set St -nodenane C0]; 
argl tis ptr = .arglist_ptr + 
St_ptr) <0, $25 = ctl$t nodenene tl]; ! and address 
tr = .argl q; 


(.ar . 
arglist- nsa$b_arg_ ph thon) = arglist Cnsa$b_arg_pktnum] + 1; 


! Set node name length 


arglis 


{t ;peckets Cpacket_remote_id) ! Do remote ID? 


BEGIN 
(.arglist_ptr) <0, Tees s ooom pkttyp_ usernan; 
arglist_ptr = »arotise 
vane lis ete? =P nash 9°'9- mech_descr; 
Tee ptr = of aratis Ay ptr 
targ LiSt_ptr) = reels remoteid (0); 
argit st_ptr = aril st ptr + 45 


! Set remote ID Length 


0 BR 
CJAUDIT.832; ’ ve ve 


J 


arglist_otr = .argl 


oral fst -p ptr) <0, ? ag a ctlst 
ange st Lnsa$b_arg_ pkthumd 


0000.0.000@m00 
QEARANLESES 


gesin 
Carglistep ptr) <0, lees = om 


= .argl 

nae ptr) sh 2° nsas 
argl tfstop = 
4 r) 


= 

= 
arg -ptr 
arglist- nsa$b_arg_pktnhum] = 


SCMKRNL(ROUTIN = nsaS$event_audit, 
ARGLST = arglist); 


SS FE 
3 


DAA AAIAMVIN ES & ££ 
SRIELRANLLSSS 


20 08 02 04 01 


oa =! . i. 


it 
000° ooh doo" 


: 0 00000' 


IF .packets Cpacket_creator_username] 
THEN 


tr 
Cc reator username; 


arglist Cnsa$l_arg_count] = (.arglist_ptr - (arglist + 4)) / 4; 


Pll 


Sep-1 74 VAX-11 Bliss-32 V4.0-74 
HEcSeoctgge Ghstte4 YALE elseecd2 v4sta742 
remoteid C1]; ! and address 

= carglist Cnsa$b_arg_pktnum] + 1; 


! Do creator process's username? 


pkttyp. usernam; 

arg. mech_adescr; 

! Set creator username desc addr 
varglist Cnsa$b_arg_pktnum] + 1; 


! Set # args 
} Go do the actual audit 
.TITLE AUDIT 
“IDENT \V04-000\ 
-PSECT $PLITS,NOWRT,NOEXE,2 
00000 P.AAA: .BYTE 64, 16, 1, 4, 2, 8, 32 
9007 “BLKB 1 
005 00008 P.AAB: .WORD 3. 4. 6. 2. 1. 3. @ 
007 00016 P.AAC: .WORD 7. 5. 1. 3. 2. 4.6 
7 B883 P.AAD eWORD ts 2° 1, e oO 4, 6 
00 : P.AAE: .WORD 7, 5, 1, ’ 4, 6 
00040 P.AAF: ADDRESS AuD{T (OoGB SUBTYPES, - 
AUDIT_COGI_SUBTYPES, AUDIT_LOGF_SUBTYPES, - 
AUDIT~LOGO SUBTYPES 
0 20 P.AAG ~WORD 9 ? oe 0. . e 10: 0 
— P.AAH: .WORD 6. * 0; 48. 48; 210; 1 
4 6¢ P.AAL: .WORD 260, 198. 4. 52. 5 
0 0 A P.AAJ: .WORD 194, 6, 48, da a5. 
0° 00088 P.AAK: .ADDRESS aAuoit LOGB_PACKEfS, AUDIT_LOGI PACKETS, 
UDIT_COGF_PACKETS, aud 1 'coeG. PACKETS 
VECTOR_MASKS= P.AAA 
(OGB SOBTYPES S=PAAB 
LOGI ~SUBTYPES=P.AAC 
LOGF “SUBTYPE S=P.AAD 
LOGO” SUBTYPES=P.AAE 
SUBTYPES= P_AAF 
LOGB_PACKETS= P. AAG 
LOGI “PACKETS= P.AAH 
LOGF “PACKETS= P.AAI 
LOGO"PACKETS= P.AAJ 
PACKETS= P.AAK 


:CLOGIN. SRCJAUDIT.B32; (79 
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rom nm 
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-—CoOo Oro 


oOo 
SoOoOooooooooocooo 


Fat 


89 


——O 


Sooooooooooo 
WOwm—OwovMn 


Ss Sss 
ME & 
——Mo WO 


Aw 


We MOD 
Po 
bad 


2POOooes 


2O¢ 


2S 


~+—+- 


SOooC¢ 


>>> 


9 
16-Se 
14-Se 


= 
on 
oo 


~™ 
ad 


Ww 
nr 


p=19B6 $24 


*EXTRN 


»PSECT 
ENTRY 


F 


4 VAX-11 Bliss-32_V 
0 DISKSVMSMASTER: CL 


NSASEVENT_AUDIT 
JOB_TYPE,~SUBPROCESS 
PCB’STS. " NSASGR_ALARMVEC 


HSASGR_JOURN 
PARENT-PID, CTL$T_NODEADDR 
FAIL NAME 

CTLST 


PHY NODENAME 
CTLST_REMOTEID, CREATOR_USERNAME 


0-76 
gin’ ehcrauoit.e32:10%" «(5 


SCODES ,NOWRT 2 
Se CUaITY AUDIT, Save R2,R3,R4,R5,R6,R7,R8,- 
R9,R1 


AUDIT VECTOR_MASKS, R10 
PHY_TERM_NAME, 

TERe NAME, R 

-120TSP), SP 

#0, (SP), #0, #120, ARGLIST 


RECORD_TYPE, TYPE_INDEX 
JOB_TYPE, JOB_TYPE_INDEX 
SUBPROCESS, 1 

#6, JOB TYPE_INDEX 


AUbIT_FCAG 
#3, PTB _STS+3, 2$ 

4 T_FLA 
NSASGR_ALARMVECCTYPE_INDEX], - 
AUDIT VECTOR MASKSCJOB_TYPE_INDEX3 


0310 


#1, AUDIT_FLAG : 0357 
NSASGR_JOORNVECCTYPE_INDEX], - : 0363 
AUDIT_VECTOR_MASKS(JOB_TYPE_ INDEX ; 
#2, AUDIT_FLAG > 0365 
AUDIT_FLAG : 0367 
5$ 3 
TYPE_INDEX, ARGL IST +4 ; 0370 
AUDIT SUBTYPES-16LTYPE_INDEX], R3 : 037 
(R3)CJOB_TYPE_INDEX], ARGLIST+6 ; 
AUDIT_FLAG GL + 0374 
UDIT“PACKETS=16LTYPE_INDEX], R1 : 0378 
1)CJOB_TYPE_INDEX], "PACKETS : 
GLIST+T2, ARGLIST_PTR : 0380 
PACKETS. § : 038 
#131089, (ARGLIST_PTR)+ ; 
PARENT PID, (ARGLIST_PTR)+ ; 
ARGLI : 0391 
a PACKETS 7$ 3 0394 
#19662 (ARGLIST_PTR)+ : 0397 
CIL$T NODEADDR R + 0401 
RO, CTLST_NODEADDR+1, #0, #8, (ARGLIST_PTR) ; 0403 
#8, ARGLIST_PTR : 
ARELIST SO - ; 0c03 
#2, PACKETS, 8$ : 040 
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2 
IT 16- e 24 VAX-11 Bliss-32 V4.0-742 Pa e 13 
¥0%-000 14-5 oo 138 9}: f: $5 DISKSVMSMASTER: clo GIN. SRCJAUDIT.B32:1-" J 
6 coed BF D BD MOVL #131091, (ARGLIST_PTR) 7 0411 
AC p C4 MOVL LOGF STATUS, (ARGCIST_ PTR)+ : 413 
Ar C8 INCB LIST? + 041 
11 E CB 8$: BBC ACKET 9$ + 04 
é 900s t F 00 OOOCF MOVL 935769 LARGE IST PTR) + 04 
000006 00 06 MOVAB FAIL erage CARGLIST. PTR)+ + 046 
AE Dp INCB GLI + 0429 
0D 7 g E £0 9$: BBC Hor AgKeT 10$ 3: 06 ¢ 
6 00050005 8F 50 O00E4 MOVL 276 CRRGL TST PTR)+ + 04 
6 £8 EB MOVAB n NAA (ARGLIST_PTR)+ > 0439 
09 A E INCB Fee T+ + 0441 
1D 7 05 € F1 10$: BBC a. PACKETS 118 + 0444 
) t ORB BS Boor movt. TERRA NARE +6 ° bate 
68 00 61 63 8D oF CMPCS PHY "TERM NAME. (R1), #0, TERM_NAME, (RO): dacs 
op 13 1 BEQL Ms ; 
86 00050005 8F p 1 MOVL @# 7685, (ARGLIST_PTR)+ + 0449 
69 : 10¢ MOVAB PHY TERM NAME, (ARGLIST_PTR)+ + 0453 
09 AE 96 0010F INCB ARGL + 0455 
18 57 E1 O11 11$ BBC ag P gxE 2$ > 0458 
4 90040009 F DO 0011 MOVL @# 6315 taket er PTR)+ + 0461 
4 9900006 0 9A OD MOVZBL CTLST_NODENAME, (ARGLIST_PTR)+ + 0465 
6 000000006 9E 00124 MOVAB CILST_N NODENAME+1, (ARGLIST_PTR)+ > 0467 
09 «AE 9 o1 B INCB ARE LIST+9 + 0469 
37 ? or 12$ 1ST PACKETS + 0472 
86 9004000 8F 8 01 MOVL #26 154 CARGLIST PTR)+ + 0475 
6 90000 006 00 9A 31 MOVZBL CTL$T_REMOTEID, (ARGLIST_PTR)+ : 0479 
86 0000 0006 0 9E 00140 MOVAB EIST REMOTEID#1, (ARGLIST_PTR)+ : 0481 
9 Ar 96 00147 INCB + 0483 
1 57 E1 OO14A 13S: C ee si 4$ + 0486 
86 9005000 F BO O14e MOVL @# sf . (AAcLISt p + 0489 
6 000000006 00 9€ 001 MOVAB CREATOR’ USERNAME ,~ CARGLIST. PTR)+ + 0493 
09 AE 96 01 c INCB ARGLIST39 > 0495 
50 04 AE SE 0015F 148: MOV ARGLIST#4, RO : 0498 
56 50 C2 00163 SUBL2 RO, ; 
6E 56 04 C? 00166 DIVL3 #4. R6, ARGLIST : 
bp O16A PUSHL SP : 0501 
000000006 00 9F O16 PUSHAB N ASEVENT_AUDIT : 
000000006 00 02 FB 001 CALLS » SYSSCAKRNL : 
04 0017 RET + 0503 


3; Routine Size: 378 bytes, Routine Base: S$CODE$S + 0000 


1984 01:48:47 AX-11 Bliss-32 V4. 
yo2-000 - 71383 ek Br DISKSVMSMASTER: CLOG 
3 $1) 1 
i 3i3 8803 0 ELUDOM 
: PSECT SUMMARY 
; Name Bytes Attributes 
: SPLITS }3 NOVEC,NOWRT, RD ,NOEXE,NOSHR, LCL, REL, FON NOE EAL GNIS} 
; SCODES NOVEC.NOWRT, RD. EXE,NOSHR, LCL, REL, CON,NOPIC,ALIGN(2) 
: Library Statistics 
i ae ee ae @ Syahelg scooccece Pages Processing 
: File Total Loaded Percent Mapped Time 
: _$255$DUA28:CSYSLIBILIB.L32;1 18619 75 0 1000 00:01.4 


COMMAND QUALIFIERS 
BLISS/CHECK=(FIELD, INITIAL,OPTIMIZE)/LIS=LIS$:AUD1T/OBJ=OBJ$:AUDIT MSRC$:AUDI7/UPDATE=(ENH$: AUDIT) 


i 378 code ° 152 data bytes 
Elapsed Time: : 38.2 
Lines/CPU Min: 


Lexemes/CPU-Min: 2626 
Memory Used: 205 pages 


; creme hy ng Complete 


* a 
SRCIAUDIT. B32; 79 (8) 
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